The field of the present invention relates generally to cryptographic systems.
Public-key cryptographic systems allow two people to exchange private and authenticated messages without requiring that they first have a secure communication channel for sharing private keys. One of the most widely used public-key cryptosystem is the RSA cryptosystem disclosed in U.S. Pat. No. 4,405,829. The RSA cryptosystem is currently deployed in many commercial systems. It is used by web servers and browsers to secure web traffic, it is used to ensure privacy and authenticity of e-mail, it is used to secure remote login sessions, and it is at the heart of electronic credit-card payment systems. In short, RSA is frequently used in applications where security of digital data is a concern.
According to public-key cryptosystems such as the RSA cryptosystem, each person has a unique pair of keys: a private key that is a secret and a public key that is widely known. This pair of keys has two important properties: (1) the private key cannot be deduced from knowledge of the public key alone, and (2) the two keys are complementary, i.e., a message encrypted with one key of the pair can be decrypted only with the complementary key. In these systems, both the public key and the private key in a pair are generated together as the output of a key generation algorithm that takes as input a random seed. Consequently, in these cryptosystems, people cannot choose a desired public or private key, but must simply use the keys that are generated for them by a key generation algorithm. This has the disadvantage that others cannot encrypt messages to a person until that person generates and publishes a public key. Another problem with this type of cryptosystem is that an impostor can publish a public key and claim that it belongs to someone else. To address this issue, a trusted certificate authority (CA) is used to authenticate individuals and certify to others that the individual's public key is authentic. Unfortunately, this adds complexity to the cryptosystem since a sender must obtain a certificate for every receiver, and must obtain a new certificate every time an existing certificate expires. It also requires receivers to create public keys, publish them, register certificates with the CA, and renew such certificates when they expire.
In 1984 Shamir envisioned a new type of public key encryption scheme (described in A. Shamir, “Identity-based cryptosystems and signature schemes”, in Advances in Cryptology—Crypto '84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, pp. 47-53, 1984). According to Shamir's scheme, a person's public key consists of a public identifier, which may be the person's name and network address, or combination of name and e-mail address, social security number, street address, telephone number, or office address. Because the public key is the person's pre-existing public identifier (ID) rather than a key produced from a random seed, this kind of public key cryptosystem is called an identity-based encryption (IBE) scheme. Shamir, however, did not provide a concrete, practical IBE cryptosystem. In fact, Shamir argued that existing cryptosystems (such as RSA) could not be adapted to realize a secure IBE cryptosystem.
In the years since Shamir proposed his IBE scheme there have been several attempts to realize an identity-based cryptosystem. Some proposals require that users not collude. Other proposals require the private key generator (PKG) to spend an impractically long time for each private key generation request. Some proposals require tamper resistant hardware.
In short, there remains a need for improved cryptographic methods and systems.